Question about NAT [newbie] - changing dest. address only

My clients have an access to the network via AS5300. At the moment we need
to change server (where connections are made) so decided to implement that
on the fly (too many users) and switch them to the new server using NAT
(dunno if it is possible). Clients are using application which connects them
to few servers on different ports. So we need to translate their old
destination server address (with destination port) to new server and new
port. But

- when connection is made to old IP address destination address should be
changed to the new one (destination port should be changed too)
- when connection is made to new IP address no changes should be made.
- client address cannot be changed.


In article <crltco$mkl$>,
pawel <> wrote:
:My clients have an access to the network via AS5300. At the moment we need
:to change server (where connections are made) so decided to implement that
:on the fly (too many users) and switch them to the new server using NAT
:(dunno if it is possible).

Did the client hosts need to traverse the AS5300 in order to access
the host using the old IP ? And do they still need to traverse the AS5300
to access the new IP ? If so, then static port translation can be used
[provided the AS5300 supports it.]

:Clients are using application which connects them
:to few servers on different ports. So we need to translate their old
:destination server address (with destination port) to new server and new
:port.

OK.

:But
:- when connection is made to old IP address destination address should be
:changed to the new one (destination port should be changed too)

Not a problem if the device has to be traversed.

:- client address cannot be changed.

OK.

:- when connection is made to new IP address no changes should be made.

That part is tricky. Static PAT runs both ways, so outgoing traffic
from the host would normally have the source port and address
translated [needs to do so in order that the replies come from
the right place.] If you did a direct connection to the new IP/port,
the return traffic would normally get translated back.

You say that the client address cannot be changed, but I'm not sure
what you mean by that. My first reading of that was that you were
referring to the infeasibility of going around to all the clients
and reconfiguring them in a short time. Now I'm not sure if that's
what you meant.

Would it be permissible that the client address that reached the
server was a translated -source- address for one of the two cases?
If it is, then there are approaches that you can take involving
policy based routing to a loopback interface that translates the source
IP from the client and does not translate the destination IP and
port for the destination, with the clients that specified the old
IP and port having the destination IP and port translated but the
source IP being left alone. Then when the server replied, the
AS5300 would do policy based routing based upon the destination
address, sending the munged destination IPs through to the loopback
interface to have their destination IP translated back, but
the non-munged destinations would have the source port and IP translated
while the destination IP was left alone.

The main problem with this approach is that any IP logging or reverse
DNS gets mussed, and if you do dynamic port mapping (e.g., all the
source IPs get Port Address Translated to a single IP) then the server
would not be able to start new connections. However, you can get around
several of these issues by having the source addresses each translated
to a unique -static- IP address (with no Port Address Translation):
e.g., you could map 24.25.26.83 to 192.168.26.83 . The traffic
would then easily be trackable to particular hosts, and you can
do reverse IP mapping on the 192.168 form of the IP to get the
same result you would for the 24.25 form, and the server would be
able to start new connections back to the originating host
if need be.
--
I don't know if there's destiny,
but there's a decision! -- Wim Wenders (WoD)
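An added illustration of the two IOS NAT statements the reply discusses; this is not pawel's configuration or the responder's. Interface names, the 203.0.113.10:5000 (old) and 198.51.100.20:6000 (new) server addresses are constructed placeholders; the 24.25.26.83 / 192.168.26.83 pair is the one quoted in the reply.

```cisco
! Added example, not configuration from the thread. Interface names and
! server addresses are placeholders: OLD = 203.0.113.10 port 5000,
! NEW = 198.51.100.20 port 6000, clients arrive on the "inside" interface.
!
interface Group-Async1
 description dial-in clients
 ip nat inside
!
interface FastEthernet0
 description path toward the servers
 ip nat outside
!
! Case 1: client connects to OLD:5000 -> packet is sent to NEW:6000.
! "outside source" static translates the OUTSIDE host: NEW is the real
! (outside global) address, OLD is what inside clients see (outside local).
! add-route installs a host route for OLD, since IOS routes the packet
! before it rewrites the destination.
ip nat outside source static tcp 198.51.100.20 6000 203.0.113.10 5000 add-route
!
! The entry is bidirectional: a reply sourced from NEW:6000 is rewritten to
! OLD:5000 on its way back in.  A client that connected directly to NEW:6000
! therefore sees replies from OLD:5000 and drops them, which is the conflict
! the reply above describes for the "no changes for the new IP" case.
!
! Per-client one-to-one source mapping (no port translation), as suggested
! at the end of the reply: the server sees 192.168.26.83, logging and reverse
! lookups stay per-host, and the server can open connections back through it.
ip nat inside source static 24.25.26.83 192.168.26.83
!
! Inspect the resulting entries with:  show ip nat translations
```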
